PRIME and MoodlePKI José Luis Villarig García Webmaster University of Zaragoza

Presentation PRIME: European project to create an Identity Management System and provide guides for developers to follow its philosophy. Moodle: CMS, documents management and online courses management.Moodle MoodlePKI: Moodle extension developed for which joins Moodle with PKI tecnologies. –Objective: to make MoodlePKI follow PRIME philosophy and directives.

PRIME: Index PRIME –The Information Society –Risks in the IS –Can technologies help?: PRIME –PRIME The user The services provider The project Current state

The Information Society IT is improving services: –space, time ↓ => cost, energy, waste ↓ Technology has a huge potential to offer personalized and contextual services, which can bring more benefits in terms of convenience, effectiveness and efficiency. This depends on quality and availability of personal information to service providers –Importance of the right to privacy.

Risks in the IS Cost is no longer a major barrier to the collection of personal information => commonplace practice. –In the real world, we decide what information to give and when. Personal data are analysed to profile people and offer more personalized offers to gain a competitive edge. Risks: –Loss in privacy –SPAM –“Bad clients” lists. –SCAMs, frauds, phishing –Respect laws: Data protection, E-Commerce Directive...

Can technologies help?: PRIME There are lots of solutions for the problems or their consequences: –PKI systems. –Firewalls –Antivirus –… However, very few of them show users which data they are sending: that is PRIME’s principal focus.

PRIME: the user User-controlled identity management system where all the players concerned act together, mediated by technology to enforce the rules set by law and the contracting partners. The user has control of personal information and negotiates its disclosure in return for access to a service  agreement between the user and the service provider whereby the provider collects personal data for a stated purpose (which may include transmission of these data to other actors). All act within the bounds of law and the agreed terms between them. The PRIME project wants to create a prototype where the preceeding is made in every context. –Middleware.

PRIME: The service providers The service providers are fitted with appropiate counterparts of the user’s digital assistant integrated with their infrastructure: applications, databases, privacy policies, etc. Ensuring fulfillment of the agreement: –Gives users access to their disclosed data. –Facilitates dispute resolution. –Enables transfer of personal data on behalf of the individuals, with their consent, to other providers. –Enables the providers to negotiate agreements between themselves in strict compliance with the original agreement made with the user.

THE PRIME project The PRIME Consortium consists of 20 member organisations from industry (IBM, HP, Swisscom), universities (Milano, Kastadst), research centres and data protection. It receives a research funding of about 13M euros from the European Union's Sixth Framework Programme and the Swiss Federal Office for Education and Science. Its main purpose is developing the PRIME software mentioned before. Partial prototypes in some scenarios: E-Learning Pharmacy Finder Airport Security –Its developing is private. Only public videos can be found on PRIME webpage. –They are only small “aproximations” to PRIME final objective.

PRIME: actual state There aren’t PRIME prototypes Only partial and “close” developings in initial fase. PRIME has stated the basics and philosophy for the developing of the prototype => what requisites a IMS should comply, according to PRIME. A lot of tutorials and documents constating the importance of security and privacy and how to ensure it. More information:

Moodle and MoodlePKI: Index What is Moodle? Why Moodle on What MoodlePKI is System Design –Presentation modifications –Redirection –Authentification component –User accounts Future tasks

Moodle Moodle is: –A CMS, Content Management System –Online curses creation –Documentation Management System. Moodle web:

Why Moodle on Main requisites observed on 2003 for –Public part, which offers on Internet information about the project. –Needed a private workspace and a private contents part. –The private workspace should allow the project members to make their tasks, provide access to information and to project results. –Accesibility: Only a web browser should be needed. –Security requeriments. This requisites are only concrete cases of using CMS, groupware, process management…

MoodlePKI MoodlePKI is a project about security in information systems based on PKI which allows Moodle to respect the most exigent security standards. Initial application in In a place like Moodle, garanties can be needed about users identification, privacy, document vality, etc.  Providing Moodle with PKI techniques like: –Users identification and access control using digital certificates. –Electronic firm operations for sending documents. –Ensure security on communications –Using a encriptation system. –Electronic firm to ensure validation of the system objects (ie. documents, messages and forum posts). It can be made using PKI infraestructures and free software.

System Design Presentation modifications Design criteriums about aspect and posibilities of structure and organization of the graphical aspect of Moodle. These modifications (most of them about organization) changes the use and aspect of Moodle blocks and add other components. Redirection The user connects to In some moment, when the user attempts to access a protected content (for example, adding posts on news), Moodle calls to /login/index.php using HTTPwww.lefis.org /login/index.php has been modified to call an specific component for authentification tasks, making this authentification by https.

System Design 2: Authentification component After making a HTTPS connection, the user’s browser is forced to show the digital certificates stored: –It varies depending on the browser’s configuration. The authentification service obtains the certificate as a parameter of the secure connection. The web service that validates certificates and returns control information to Moodle works simultaneusly with digital certificates issued by different CA if we identify them as valid: –Spanish “Fábrica Nacional de Moneda y Timbre” certificates recognition is now on test phase.

System Design 3: User accounts A new user in the system meant a new PKI user, a new entry in the lefis database and a new moodle account  the information was replicated in three databases. The three databases are necesary. The key used to identify people and which allows to associate OpenCA accounts which Moodle ones is “ ”. Moodle applications for changing user data will be still there. –A task for the future will be that those modifications are made to the lefis database also so that Moodle’s database will at all time have congruent data with lefis database. When a user without a moodle account but with certificate and an entry on the lefis database enters the system, a new moodle account is made automatically in a transparent way. Error cases analized and solved: –No certificate givenNo certificate given –Bad certificateBad certificate –...

MoodlePKI future tasks Report generation Digital library system Complete integration of lefis database with moodle Workspaces for the WG. Exporting MoodlePKI as a module: –MoodlePKI is not yet an independent module. –We plan to improve it and make a module that can be used in other situations. MoodlePKI and PRIME –Without a PRIME prototype it is almost impossible to know how MoodlePKI will integrate with the PRIME solution. –However, some of the PRIME guides are present in MoodlePKI and our objective is to continue that path (for example, informing the user with detail of the use of all their data. Final security revision. … Other tasks to be foreseen.